An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability.
…it’s unrealistic to expect every single user to avoid falling victim to the attack. User education may not be an effective preventative measure against this kind of phishing. Education can, however, be effective for encouraging users to report phishing emails. A well-designed incident response plan can help mitigate the impact of attacks.
Defense 1 – Filter emails at the gateway. The first step stops as many malicious emails as possible from reaching users’ inboxes….
Defense 2 – Implement host-based controls. Host-based controls can stop phishing payloads that make it to the end user from running. Basic host-based controls include using antivirus and host-based firewalls…
Defense 3 – Implement outbound filtering. Outbound filtering is one of the most significant steps you can take to defend your organization’s network. With proper outbound filtering, attacks that circumvent all other controls can still be stopped…
A mature governance structure is essential to effectively develop, deploy, and manage an insider threat program. The CERT Insider Threat Center recommends that the organization implement a governance structure that enables the insider threat program to
Maintain an updated knowledge base related to insider threats including staying current with the latest research and capturing lessons learned.
· Provide support to the insider threat program stakeholders to ensure the groups are meeting their objectives, providing the appropriate inputs to the insider threat program manager and appropriately communicating results and decisions to other insider threat program stakeholders.
· Monitor governance practices to ensure that governing bodies are meeting insider threat program needs, to make recommendations for improvement, and to refine the measures as needed.
· Capture and communicate insider threat program success stories to internal and external stakeholders to increase program support.
· Execute a comprehensive program-risk-management approach and required procedures for insider threat program stakeholders.
· Perform processes including budgetary review, the development of future technical requirements, continuous operation procedures, and risk management.
· When applicable, facilitate both formal and informal Continuous Diagnostic Monitoring (CDM) governance training for the CDM program staff, departments and/or agencies (D/As), partners, and stakeholders.
· Maintain and execute the program schedule for updating charter guidance, procedures, and policies based on ongoing lessons learned (both internally and externally), best practices, and stakeholder input.